Apple left users exposed to serious public security flaws for weeks: Former Apple security expert

Kristin Paget, a security researcher who worked at Apple until a few months ago, took to her blog to criticise the company for the way it staggers security patches across iOS and OS X, shipping fixes for the same vulnerabilities on one platform weeks before the other.

Paget specifically talks about the recent iOS 7.1.1 software update, which, along with Touch ID improvements, also carries a number of WebKit security fixes. As with every release, Apple published a security advisory listing each bug it fixed, with a description and a discovery credit. It does the same for other product updates, including Safari 7.0.3 for OS X, which was released around three weeks earlier.

Paget compared the WebKit fixes in the two advisories (WebKit being the rendering engine that powers Safari on both platforms) and found that the two lists share a number of the same bugs. The catch is that the Safari for OS X advisory was published three weeks before the iOS one, so for those three weeks anyone could read Apple's own description of each WebKit bug, knowing that Safari on iOS was still unpatched against it. Paget writes:

Apparently someone needs to sit Apple in front of a chalkboard and make them write out 100 lines: “I will not use iOS to drop 0day on OSX, nor use OSX to drop 0day on iOS”.

Is this how you do business? Drop a patch for one product that quite literally lists out, in order, the security vulnerabilities in your platform, and then fail to patch those weaknesses on your other range of products for *weeks* afterwards? You really don’t see anything wrong with this?
